Microsoft is announcing the availability of an automated Microsoft Fix it solution that disables the Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7. Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time.

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Applying the automated Microsoft Fix It solution described in Microsoft Knowledge Base Article 2719662 disables the Windows Sidebar experience and all Gadget functionality.

Recommendation. Customers who are concerned about vulnerable or malicious Gadgets should apply the automated Fix It solution as soon as possible. For more information, see the Suggested Actions section of this advisory.

Microsoft fix kills Windows Gadgets, warns it could lead to PC hijacks

Microsoft has warned that a Gadgets feature included in Vista and later versions of Windows could allow attackers to hijack end-user machines and has taken the unusual step of issuing a temporary update that allows it to be completely disabled.

"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system." To be successful, they added: "An attacker would have to convince a user to install and enable a vulnerable Gadget."

We are not sure. Meaning: those in the security community have implemented both; some desktop gadget functionality is removed, yet desktop gadgets can still be enabled. This is a fix that does not completely work.
I cannot say with 100% certainty which is which, or what will do what.

Thankful said:

Is 50906 "Enable" or "Disable"?
The headings and explanations show conflicting results.

I know some love those gadgets, but IMO good riddance. I don't use them, nor will I ever. Over the life of Vista and 7 I have seen so many issues from them causing problems with various clients; I'm personally glad to see them go.

I did read the thread and as a result of reading the thread I have two questions...
1. I'm not using any Gadgets, so does that mean I need to do anything?
2. I have no idea where to find Sidebars (I looked in Accessories), so where is it?

The vulnerabilities discussed in the Advisory involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets.
Does anyone know if I still need to disable Gadgets if I am not running any of them?

I would just get rid of them altogether. Go to control panel, Programs and features, turn Windows features on or off, uncheck Windows gadget platform, reboot when prompted, done. No more gadgets.


@xxJackxx ...
Thanks, that was very clear! I did as you suggested.
To date, I have been relying upon the description from Microsoft that states, "An attacker would have to convince a user to install and enable a vulnerable Gadget."
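The advisory says the Fix It "disables the Windows Sidebar experience and all Gadget functionality", and the post quoted above removes the Windows Gadget Platform feature instead; the thread is unsure which of the two actually happened on a given machine. The script below is an added example, not part of the advisory, the KB article or any post in this thread. It audits three separate things (the Sidebar policy value, the optional feature, and whether sidebar.exe is running) and then applies both mitigations. It assumes two details not stated on this page: that the Fix It sets the policy value TurnOffSidebar = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar (the same value the "Turn off Windows Sidebar" Group Policy sets), and that the DISM name for "Windows gadget platform" is WindowsGadgetPlatform. Run it from an elevated PowerShell prompt on Windows 7; it uses dism.exe rather than the DISM cmdlets so it works with the PowerShell 2.0 that Windows 7 ships.

```powershell
# Added example: audit and disable the Windows Sidebar / Gadget platform on Windows 7.
# Assumed (not stated on the page): the Fix It sets TurnOffSidebar=1 under the policy
# key below, and the optional feature is named WindowsGadgetPlatform in DISM.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'

function Get-GadgetState {
    # Policy: is the Sidebar turned off by policy (what the Fix It is assumed to do)?
    $turnOff = (Get-ItemProperty -Path $policyKey -Name TurnOffSidebar `
                -ErrorAction SilentlyContinue).TurnOffSidebar

    # Feature: is the optional component still installed
    # (what "Turn Windows features on or off" removes)?
    $info = dism.exe /online /Get-FeatureInfo /FeatureName:WindowsGadgetPlatform 2>$null
    $featureState = ($info | Where-Object { $_ -match '^State\s*:' }) -replace '^State\s*:\s*', ''
    if (-not $featureState) { $featureState = 'Unknown' }

    # Runtime: is sidebar.exe running for the current user right now?
    $running = [bool](Get-Process -Name sidebar -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        SidebarPolicyOff = ($turnOff -eq 1)   # $true once the policy value is set
        FeatureState     = $featureState      # 'Enabled' or 'Disabled' per DISM
        SidebarRunning   = $running           # $true if gadgets are live this session
    }
}

function Disable-Gadgets {
    # 1. Stop any running Sidebar instance so gadgets stop executing immediately.
    Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force

    # 2. Apply the policy value the Fix It is assumed to set (see note above).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name TurnOffSidebar -Value 1 -Type DWord

    # 3. Remove the optional feature as well, as the post above recommends.
    #    /NoRestart defers the reboot; the feature removal completes on restart.
    dism.exe /online /Disable-Feature /FeatureName:WindowsGadgetPlatform /NoRestart
}

Get-GadgetState
# Disable-Gadgets   # uncomment to apply both mitigations, then reboot
```

Reading the three fields together resolves the question raised earlier in the thread: a machine can have the feature still enabled and no sidebar.exe running (nothing to exploit right now, but a user can still start one), or the policy set while the feature is still installed (the Fix It state). Only the policy or the feature removal stops a user from being talked into enabling a gadget later, which is the scenario the advisory describes.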

To date, I have been relying upon the description from Microsoft that states, "An attacker would have to convince a user to install and enable a vulnerable Gadget."


Which may be easier to have happen than one would suspect. If you for example install something like Norton Internet Security (or many other products) it installs a desktop gadget as part of the installation and opens it. An attacker would not need to prompt "Hey, install this gadget and run it too", they could slip it into many other processes. I'm sure most of the folks here would not get into that situation to begin with, but it probably wouldn't be any harder than it would be to slip a browser toolbar into your system. Better safe than sorry.

An attacker would have to convince a user to install and enable a vulnerable Gadget.


Well, I'm not very knowledgeable on the topic, but it would seem that the operative phrase is "vulnerable Gadget."
Doesn't seem to me that NIS would install a vulnerable gadget on a user's system.
Bottom line, though, is as you stated... better safe than sorry.